There’s a New Reason to Never Keep Screenshots of Personal Information on Your Phone

If you have screenshots of login credentials or crypto seed phrases — or any other sensitive content — stored in your phone’s photo gallery, you should review and delete them. The image-based spyware campaign is being distributed through apps found in the Apple and Google Play app stores, as well as third-party sources.

SparkKitty malware, discovered by Kaspersky Lab and reported by Bleeping Computer, accesses photo galleries on iOS and Android devices, allowing it to extract images or data contained therein, possibly with the aim of stealing victims’ crypto assets and other compromising information.

SparkKitty Steals Images and Screenshots

If SparkKitty infects your iOS device, it will request permission to access your photo gallery, which, if granted, will allow the program to monitor and extract new images. On Android, SparkKitty requests storage permissions so that it can collect images along with device identifiers and metadata. It can also use Google ML Kit’s optical character recognition (OCR) to specifically target images that contain text, such as screenshots.

SparkKitty is distributed via malicious apps that were found (and subsequently removed) in the Apple App Store and Google Play Store. Kaspersky also found malware in TikTok clones distributed via unofficial platforms that embed a variety of fake apps, including cryptocurrency stores, as well as gambling and casino apps.

SparkKitty may be an iteration of SparkCat, a photo-scanning malware that was first discovered earlier this year but has likely been circulating for some time. While SparkCat specifically targeted crypto wallets by using OCR to identify keywords in text, SparkKitty appears to indiscriminately steal images from compromised galleries. Since some of SparkKitty’s delivery vectors were dedicated to cryptocurrency, Kaspersky researchers believe that cryptocurrency theft is still the primary goal, although the possibility of using other sensitive content for malicious purposes, such as extortion, remains.

What you need to do

iOS and Android users can take steps to minimize or protect sensitive data stored on their devices, as well as limit the risk of becoming a victim of spyware like SparkKitty in the first place.

First of all, do not store photos or screenshots of your crypto seed phrase, login credentials, or any other sensitive content in your photo gallery. Doing so puts your accounts at risk if your device is compromised in any way, whether by malware or physical theft. Regular logins can be locked in a password manager behind multiple layers of security. Your crypto seed phrase is safest when split into parts and saved offline.

You should also be careful when downloading apps to your device, whether from the Google Play and Apple App stores or unofficial sources. Unfortunately, you can’t trust everything you find even on trusted platforms. Look for red flags: check the developer’s history and read reviews carefully, especially if there are a lot of them compared to the number of downloads. Be wary of requests to access your photo gallery, especially if that permission is unrelated to the app’s functionality. In fact, you should pay close attention to the permissions requested every time you install a new app, and don’t just blindly allow them.

Finally, make sure you have Google Play Protect enabled on Android, which enables real-time threat detection, and keep an eye out for signs that your device is infected with malware.